-rw-r--r-- | etc/inc/auth.inc | 76 | ||||
-rwxr-xr-x | usr/local/www/system_usermanager_settings.php | 22 |
2 files changed, 64 insertions, 34 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 475be79..52f0922 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -60,6 +60,24 @@ function logout_session() { function getAllowedGroups($logged_in_user) { global $g, $config; + log_error("Getting groups for {$logged_in_user}."); + + /* return ldap groups if we are in ldap mode */ + if($config['system']['webgui']['backend'] == "ldap") { + $allowed_groups = ldap_get_groups($logged_in_user); + $fdny = fopen("/tmp/groups","w"); + fwrite($fdny, print_r($allowed, true)); + fclose($fdny); + foreach($config['system']['group'] as $group) { + if(in_array($group['name'], $allowed_groups)) { + foreach($group['pages'] as $page) { + $allowed[] = $page; + } + } + } + return $allowed; + } + $final_allowed = array(); foreach($config['system']['user'] as $username) { @@ -313,7 +331,7 @@ function getGroupHomePage($group = "") { function isSystemAdmin($username = "") { global $groupindex, $userindex, $config, $g; - + if ($username == "") { return 0; } $gname = $config['system']['group'][$groupindex[$config['system']['user'][$userindex[$username]]['groupname']]]['name']; 
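Review bot: In the new LDAP branch of getAllowedGroups() the `fwrite($fdny, print_r($allowed, true));` call dumps `$allowed` before that variable has been assigned anything, and it leaves a debug file in /tmp/groups behind on every call; the three `$fdny` lines look like leftover instrumentation and should be removed rather than shipped. `$allowed` is also never initialised, so a user whose directory groups match no configured group makes the branch `return $allowed;` as null instead of an empty page list, and ldap_get_groups() can hand back a non-array (it returns false for an empty username and the htpasswd_backed() result on connect/bind errors), which makes the `in_array()` call warn. Opening the branch with `$allowed = array();` and wrapping the group walk in `if(is_array($allowed_groups))` covers both cases. The remainder of getAllowedGroups(), including the non-LDAP path, continues past the end of the hunk.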
@@ -590,72 +608,84 @@ function passwd_backed($username, $passwd) { function ldap_get_groups($username) { global $config; + if(!$username) + return false; + + if(stristr($username, "@")) { + $username_split=split("\@", $username); + $username = $username_split[0]; + } + + log_error("Getting LDAP groups for {$username}."); + $ldapserver = $config['system']['webgui']['ldapserver']; $ldapbindun = $config['system']['webgui']['ldapbindun']; $ldapbindpw = $config['system']['webgui']['ldapbindpw']; - $ldapfilter = $config['system']['webgui']['ldapfilter']; - $ldapsearchbase = $config['system']['webgui']['ldapsearchbase']; + $ldapfilter = $config['system']['webgui']['ldapfilter']; + $ldapsearchbase = "CN=Users,{$config['system']['webgui']['ldapsearchbase']}"; + $ldapfilter = str_replace("\$username", $username, $ldapfilter); + if (!($ldap = ldap_connect($ldapserver))) { - log_error("ERROR! LDAP could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()"); + log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()"); $status = htpasswd_backed($username, $passwd); return $status; } if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { - log_error("ERROR! LDAP could not bind to {$ldapserver}. Defaulting to built-in htpasswd_backed()"); + log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()"); $status = htpasswd_backed($username, $passwd); return $status; } - $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter); - if(!$search) - return array(); + $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter, array('memberOf')); $info = ldap_get_entries($ldap, $search); - $temp = fopen("/tmp/groupentries", "w"); - fwrite($temp, $info["count"] . 
" entries returned."); - fwrite($temp, print_r($info, true)); - fclose($temp); + foreach($info[0]['memberof'] as $member) { + if(strstr($member, "CN=") !== false) { + $membersplit = split(",", $member); + $memberof[] = str_replace("CN=", "", $membersplit[0]); + } + } /* Time to close LDAP connection */ ldap_close($ldap); - return $info; + log_error("Returning groups " . print_r($memberof,true) . " for user $username"); + + return $memberof; } function ldap_backed($username, $passwd) { global $config; + if(!$username) + return; + $ldapserver = $config['system']['webgui']['ldapserver']; - $ldapsearchbase = $config['system']['webgui']['ldapsearchbase']; $ldapbindun = $config['system']['webgui']['ldapbindun']; $ldapbindpw = $config['system']['webgui']['ldapbindpw']; - $ldapfilter = $config['system']['webgui']['ldapfilter']; - - if(!$ldapsearchbase) - log_error("WARNING! LDAP backend search base not defined."); if(!$ldapserver) { - log_error("ERROR! LDAP backend selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed()"); + log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings."); $status = htpasswd_backed($username, $passwd); return $status; } if (!($ldap = ldap_connect($ldapserver))) { - log_error("ERROR! LDAP could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()"); + log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings."); $status = htpasswd_backed($username, $passwd); return $status; } if (!($res = @ldap_bind($ldap, $username, $passwd))) { - log_error("ERROR! LDAP could not bind to {$ldapserver}. Defaulting to built-in htpasswd_backed()"); + log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. 
Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings."); $status = htpasswd_backed($username, $passwd); return $status; } - - ldap_get_groups($username); + + log_error("$username logged in via LDAP."); /* At this point we are binded to LDAP so the user was auth'd okay. */ return true; diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php index 76ef0d1..6aebc7b 100755 --- a/usr/local/www/system_usermanager_settings.php +++ b/usr/local/www/system_usermanager_settings.php @@ -3,6 +3,9 @@ /* part of pfSense (http://www.pfsense.org/) + Copyright (C) 2007 Scott Ullrich <sullrich@gmail.com> + All rights reserved. + Copyright (C) 2007 Bill Marquette <bill.marquette@gmail.com> All rights reserved. @@ -27,15 +30,15 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + require("guiconfig.inc"); + $pconfig['session_timeout'] = &$config['system']['webgui']['session_timeout']; $pconfig['ldapserver'] = &$config['system']['webgui']['ldapserver']; $pconfig['backend'] = &$config['system']['webgui']['backend']; - $pconfig['ldapbindun'] = &$config['system']['webgui']['ldapbindun']; $pconfig['ldapbindpw'] = &$config['system']['webgui']['ldapbindpw']; - -//$pconfig['ldapfilter'] = &$config['system']['webgui']['ldapfilter']; +$pconfig['ldapfilter'] = &$config['system']['webgui']['ldapfilter']; $pconfig['ldapsearchbase'] = &$config['system']['webgui']['ldapsearchbase']; // Page title for main admin @@ -94,12 +97,10 @@ if ($_POST) { else unset($pconfig['ldapbindpw']); -/* if($_POST['ldapfilter']) $pconfig['ldapfilter'] = $_POST['ldapfilter']; else unset($pconfig['ldapfilter']); -*/ if($_POST['ldapsearchbase']) $pconfig['ldapsearchbase'] = $_POST['ldapsearchbase']; 
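Review bot: The new bind-failure message in ldap_backed(), `log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. ...")`, writes the cleartext password of every failed login attempt into the system log, where it is readable by anyone with log access and persists in log archives; `{$passwd}` should be dropped so only the server and username are logged. In ldap_get_groups(), `$ldapfilter = str_replace("\$username", $username, $ldapfilter);` splices the login name into the search filter without escaping, so filter metacharacters in the name change the query (RFC 4515 escaping is needed before substitution, e.g. ldap_escape() with LDAP_ESCAPE_FILTER where the PHP version provides it); the commit also drops the old `if(!$search) return array();` guard, so a failed search reaches ldap_get_entries() with false, and `$memberof` is only ever assigned when a CN= entry was found, so callers can receive null instead of an array. The added `if(!$username) return;` in ldap_backed() should reject an empty `$passwd` as well, because servers that allow unauthenticated binds (RFC 4513 section 5.1.2) accept a non-empty DN with an empty password as an anonymous bind, which would make the `return true` reachable without a credential. ldap_backed()'s closing brace lies past the end of the hunk; the sketch below shows only the changed lines.
```php
// ldap_get_groups(): … unchanged: username normalisation, server/bind settings …
$ldapfilter = $config['system']['webgui']['ldapfilter'];
$ldapsearchbase = "CN=Users,{$config['system']['webgui']['ldapsearchbase']}";
/* Escape the login name (RFC 4515) before it becomes part of the search filter */
$ldapfilter = str_replace("\$username", ldap_escape($username, "", LDAP_ESCAPE_FILTER), $ldapfilter);
// … unchanged: ldap_connect() / ldap_bind() with the service account …
$search = ldap_search($ldap, $ldapsearchbase, $ldapfilter, array('memberOf'));
$memberof = array();
if(!$search) {
    ldap_close($ldap);
    return $memberof;
}
$info = ldap_get_entries($ldap, $search);
if($info['count'] > 0 && isset($info[0]['memberof'])) {
    foreach($info[0]['memberof'] as $member) {
        // … unchanged: CN= extraction into $memberof …
    }
}
// … unchanged: ldap_close(), group log line and return …

// ldap_backed(): … unchanged up to the new guard …
if(!$username || !$passwd)
    return false;
// … unchanged: server / connect checks …
if (!($res = @ldap_bind($ldap, $username, $passwd))) {
    log_error("ERROR! ldap_backed() could not bind to {$ldapserver} as {$username}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
```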
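Review bot: The re-enabled `$pconfig['ldapfilter'] = $_POST['ldapfilter'];` stores the filter exactly as typed, with no check that it still contains the `$username` placeholder that auth.inc substitutes. A filter without the placeholder is a constant query, and ldap_get_groups() then reads `$info[0]['memberof']`, the first matching directory entry's groups, for whichever user is logging in, so group membership would be derived from the wrong account. Rejecting a non-empty value for which `strpos($_POST['ldapfilter'], '$username') === false` before it is saved, reported through whatever input-error mechanism this page already uses, keeps a typo here from becoming a silent authorisation mix-up. The surrounding POST handler, and any existing validation of the other fields, lies outside the hunk.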
@@ -164,13 +165,14 @@ if(!$pconfig['backend']) <td width="22%" valign="top" class="vncell">LDAP Server:port</td> <td width="78%" class="vtable"> <input name="ldapserver" size="65" value="<?=htmlspecialchars($pconfig['ldapserver']);?>"> - <br/>Example: ldap.example.org:339 + <br/>Example: ldap.example.org:389 </td> </tr> <tr> <td width="22%" valign="top" class="vncell">LDAP Binding username</td> <td width="78%" class="vtable"> <input name="ldapbindun" size="65" value="<?=htmlspecialchars($pconfig['ldapbindun']);?>"> + Example: For Active Directory you would want to use format DOMAIN\username </td> </tr> <tr> @@ -179,22 +181,20 @@ if(!$pconfig['backend']) <input name="ldapbindpw" size="65" value="<?=htmlspecialchars($pconfig['ldapbindpw']);?>"> </td> </tr> -<?php -/* <tr> <td width="22%" valign="top" class="vncell">LDAP Filter</td> <td width="78%" class="vtable"> <input name="ldapfilter" size="65" value="<?=htmlspecialchars($pconfig['ldapfilter']);?>"> + <br/>Example: For Active Directory you would want to use (samaccountname=$username) </td> </tr> -*/ -?> <tr> <td width="22%" valign="top" class="vncell">LDAP Search base</td> <td width="78%" class="vtable"> <input name="ldapsearchbase" size="65" value="<?=htmlspecialchars($pconfig['ldapsearchbase']);?>"> + <br/>Example: DC=pfsense,DC=com </td> - </tr> + </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> |